[Security] E2EE & transport correctness — TLS policy floor, OMEMO/OTR/PGP fixes, downgrade/cert-failure visibility #147

Open
opened 2026-07-03 10:28:09 +00:00 by jabber.developer2 · 0 comments
Collaborator

End-to-end and transport security correctness: TLS policy floor + downgrade/cert-failure visibility, OMEMO/OTR/PGP correctness, CSPRNG, and update-check / OS-version privacy.

Part of #144. Decision legend: M must-do, C could-do, W won't-do (this cycle); investigate = verify the problem is real / scope it before implementing.

Subtasks & findings

T04 — Security-event log visibility (WARN on downgrade/cert/auth fail)

Owner: Either · Decision: M / C · Effort: ~0.5d

Promote downgrade/cert-fail/auth-fail to WARN; shared theme.

  • REQ-LOG-01 (medium · m) — SASL auth failure at INFO; TLS cert-fail logs nothing (below WARN filter) (merges CIS-8.2)
    • Evidence: server_events.c:207-208,1135-1200
    • Fix: Promote sv_ev_failed_login to log_warning; add log_warning in sv_ev_certfail before the prompt (theme-shared with REQ-LOG-02)
    • Maps to: NIST DE.CM-06/DE.AE-02; ISO A.8.15/A.8.16; CIS 8.2
  • REQ-LOG-02 (medium · m) — TLS-disabled/handshake-fail/see-other-host/insecure-login are DEBUG-only
    • Evidence: connection.c:191,367,923-928
    • Fix: Emit log_warning on all four downgrade conditions (theme-shared with REQ-LOG-01)
    • Maps to: NIST DE.AE-02/DE.CM-06; ISO A.8.16/A.8.15
  • REQ-AUTH-03 (high · c) — Insecure transport flags logged at debug, not WARN
    • Evidence: connection.c:201-213
    • Fix: Split DISABLE_TLS/LEGACY_*/TRUST_TLS to log_warning + cons_show so the downgrade is visible
    • Maps to: NIST PR.AA-03/PR.DS-02; ISO A.5.17/A.8.5/A.8.9/A.8.20; CIS 8.2

T05 — TLS transport policy hardening (allow→mandatory, per-transfer warn)

Owner: Either · Decision: M · Effort: ~1.5–2d

allow-policy TLS floor; gate in-band registration; per-transfer insecure warning.

  • REQ-CRY-03 (high · m) — tls.policy=allow gives silent opportunistic STARTTLS; in-band registration sends creds cleartext without TLS (merges REQ-CIS-08-cry)
    • Evidence: common.c:406; connection.c:185-194,397-431
    • Fix: Map allow→MANDATORY_TLS floor (or loud WARN); enforce TLS-required-or-fail before in-band registration sends credentials; integration test vs no-STARTTLS server (shared with REQ-CIS-08)
    • Maps to: NIST PR.DS-02/PR.PS-01; ISO A.8.20/A.8.9/A.8.24; CIS 15.4
  • REQ-CFG-01 (medium · m) — tls.policy=trust silently disables curl verify on file transfers with no per-transfer warning
    • Evidence: http_upload.c:242-244; http_download.c:153-155
    • Fix: One shared message helper emitting a per-transfer insecure warning at both sites (aesgcm_download inherits)
    • Maps to: NIST PR.AA-03/PR.DS-02/PR.DS-10; ISO A.8.9/A.8.24/A.5.14; CIS 9.6

T06 — Update-check & version-reveal privacy

Owner: Either · Decision: M · Effort: ~0.5–1d

https+VERIFY on update check; default REVEAL_OS off + version-omit pref.

  • REQ-VUL-02 (medium · m) — release_get_latest never sets VERIFY*/https-only on update check
    • Evidence: common.c:459-482
    • Fix: Set VERIFYPEER=1L/VERIFYHOST=2L, constrain PROTOCOLS/redirect to https, tighten version regex; malformed-version unit test
    • Maps to: NIST ID.RA-01/PR.DS-02; ISO A.8.8/A.8.24
  • REQ-VUL-03 (medium · m) — PREF_REVEAL_OS defaults TRUE; no -omit pref (peer fingerprinting)
    • Evidence: preferences.c:2692,2706
    • Fix: Default PREF_REVEAL_OS OFF; add an include_version pref gating the child (iq.c:1687-1728); stabber test
    • Maps to: NIST PR.AA-05/PR.DS-02; ISO A.8.8/A.8.24; CIS 4.1/16.7

T09 — OMEMO/crypto correctness

Owner: Either · Decision: M / C · Effort: ~2–3d · Investigate: investigate CRY-01/02/09 (reachability/product)

NULL-id echo guard, opportunistic-OTR gate, CSPRNG, trust transitions, unsigned underflow.

  • REQ-CRY-01 (medium · m (investigate)) — MUC OMEMO caller logs/echoes plaintext to history DB on NULL id (send failure)
    • Evidence: event/client_events.c:200-203
    • Fix: Wrap the three MUC-path log/echo lines in if (id != NULL) like the 1:1 path (:138,148,157)
    • Maps to: NIST PR.DS-02/PR.IR-01; ISO A.8.24/A.8.26
  • REQ-CRY-02 (medium · m (investigate)) — OTR-opportunistic first message bypasses allow_unencrypted_message gate
    • Evidence: otr.c:332-339,425-428
    • Fix: Consult allow_unencrypted_message before the tagged cleartext send; return without sending if disallowed; add block-mode test
    • Maps to: NIST PR.DS-02/PR.IR-01; ISO A.8.24/A.5.10
  • REQ-CRY-07 (medium · c) — Non-CSPRNG g_rand_* used for stanza IDs and profanity_instance_id HMAC key
    • Evidence: common.c:712-717; connection.c:808,1123
    • Fix: Rewrite get_random_string to draw from gcry_create_nonce (already in-tree at omemo.c:2076); handle modulo bias; one helper covers all callers
    • Maps to: NIST PR.DS-02; ISO A.8.24
  • REQ-CRY-09 (medium · m (investigate)) — blind/firstusage OMEMO trust transitions driven from inbound handlers
    • Evidence: omemo.c:608,698
    • Fix: Product decision then gate/surface the persisted-trust write so manual never auto-trusts from inbound while blind/firstusage still emit a visible notice; tests
    • Maps to: NIST PR.AA-03/PR.AA-04; ISO A.5.31/A.5.17
  • REQ-MEM-05 (medium · m) — identity_public_key_len-- lacks a >0 guard (unsigned underflow)
    • Evidence: omemo.c:1437
    • Fix: Reject/early-return when signal_buffer_len==0 before the decrement
    • Maps to: NIST PR.PS-01; ISO A.8.28

Checklist

T04 — Security-event log visibility (WARN on downgrade/cert/auth fail)

  • REQ-LOG-01 · medium · M — SASL auth failure at INFO; TLS cert-fail logs nothing (below WARN filter) (merges CIS-8.2)
  • REQ-LOG-02 · medium · M — TLS-disabled/handshake-fail/see-other-host/insecure-login are DEBUG-only
  • REQ-AUTH-03 · high · C — Insecure transport flags logged at debug, not WARN

T05 — TLS transport policy hardening (allow→mandatory, per-transfer warn)

  • REQ-CRY-03 · high · M — tls.policy=allow gives silent opportunistic STARTTLS; in-band registration sends creds cleartext without TLS (merges REQ-CIS-08-cry)
  • REQ-CFG-01 · medium · M — tls.policy=trust silently disables curl verify on file transfers with no per-transfer warning

T06 — Update-check & version-reveal privacy

  • REQ-VUL-02 · medium · M — release_get_latest never sets VERIFY*/https-only on update check
  • REQ-VUL-03 · medium · M — PREF_REVEAL_OS defaults TRUE; no -omit pref (peer fingerprinting)

T09 — OMEMO/crypto correctness

  • REQ-CRY-01 · medium · M · investigate — MUC OMEMO caller logs/echoes plaintext to history DB on NULL id (send failure)
  • REQ-CRY-02 · medium · M · investigate — OTR-opportunistic first message bypasses allow_unencrypted_message gate
  • REQ-CRY-07 · medium · C — Non-CSPRNG g_rand_* used for stanza IDs and profanity_instance_id HMAC key
  • REQ-CRY-09 · medium · M · investigate — blind/firstusage OMEMO trust transitions driven from inbound handlers
  • REQ-MEM-05 · medium · M — identity_public_key_len-- lacks a >0 guard (unsigned underflow)

Notes

  • Investigate first (verify/scope before implementing): REQ-CRY-01, REQ-CRY-02, REQ-CRY-09.
End-to-end and transport security correctness: TLS policy floor + downgrade/cert-failure visibility, OMEMO/OTR/PGP correctness, CSPRNG, and update-check / OS-version privacy. Part of #144. Decision legend: **M** must-do, **C** could-do, **W** won't-do (this cycle); *investigate* = verify the problem is real / scope it before implementing. ## Subtasks & findings ### T04 — Security-event log visibility (WARN on downgrade/cert/auth fail) _Owner:_ Either · _Decision:_ M / C · _Effort:_ ~0.5d Promote downgrade/cert-fail/auth-fail to WARN; shared theme. - **REQ-LOG-01** (medium · _m_) — SASL auth failure at INFO; TLS cert-fail logs nothing (below WARN filter) (merges CIS-8.2) - Evidence: `server_events.c:207-208,1135-1200` - Fix: Promote sv_ev_failed_login to log_warning; add log_warning in sv_ev_certfail before the prompt (theme-shared with REQ-LOG-02) - Maps to: NIST DE.CM-06/DE.AE-02; ISO A.8.15/A.8.16; CIS 8.2 - **REQ-LOG-02** (medium · _m_) — TLS-disabled/handshake-fail/see-other-host/insecure-login are DEBUG-only - Evidence: `connection.c:191,367,923-928` - Fix: Emit log_warning on all four downgrade conditions (theme-shared with REQ-LOG-01) - Maps to: NIST DE.AE-02/DE.CM-06; ISO A.8.16/A.8.15 - **REQ-AUTH-03** (high · _c_) — Insecure transport flags logged at debug, not WARN - Evidence: `connection.c:201-213` - Fix: Split DISABLE_TLS/LEGACY_*/TRUST_TLS to log_warning + cons_show so the downgrade is visible - Maps to: NIST PR.AA-03/PR.DS-02; ISO A.5.17/A.8.5/A.8.9/A.8.20; CIS 8.2 ### T05 — TLS transport policy hardening (allow→mandatory, per-transfer warn) _Owner:_ Either · _Decision:_ M · _Effort:_ ~1.5–2d allow-policy TLS floor; gate in-band registration; per-transfer insecure warning. - **REQ-CRY-03** (high · _m_) — tls.policy=allow gives silent opportunistic STARTTLS; in-band registration sends creds cleartext without TLS (merges REQ-CIS-08-cry) - Evidence: `common.c:406; connection.c:185-194,397-431` - Fix: Map allow→MANDATORY_TLS floor (or loud WARN); enforce TLS-required-or-fail before in-band registration sends credentials; integration test vs no-STARTTLS server (shared with REQ-CIS-08) - Maps to: NIST PR.DS-02/PR.PS-01; ISO A.8.20/A.8.9/A.8.24; CIS 15.4 - **REQ-CFG-01** (medium · _m_) — tls.policy=trust silently disables curl verify on file transfers with no per-transfer warning - Evidence: `http_upload.c:242-244; http_download.c:153-155` - Fix: One shared message helper emitting a per-transfer insecure warning at both sites (aesgcm_download inherits) - Maps to: NIST PR.AA-03/PR.DS-02/PR.DS-10; ISO A.8.9/A.8.24/A.5.14; CIS 9.6 ### T06 — Update-check & version-reveal privacy _Owner:_ Either · _Decision:_ M · _Effort:_ ~0.5–1d https+VERIFY on update check; default REVEAL_OS off + version-omit pref. - **REQ-VUL-02** (medium · _m_) — release_get_latest never sets VERIFY*/https-only on update check - Evidence: `common.c:459-482` - Fix: Set VERIFYPEER=1L/VERIFYHOST=2L, constrain PROTOCOLS/redirect to https, tighten version regex; malformed-version unit test - Maps to: NIST ID.RA-01/PR.DS-02; ISO A.8.8/A.8.24 - **REQ-VUL-03** (medium · _m_) — PREF_REVEAL_OS defaults TRUE; no <version>-omit pref (peer fingerprinting) - Evidence: `preferences.c:2692,2706` - Fix: Default PREF_REVEAL_OS OFF; add an include_version pref gating the <version> child (iq.c:1687-1728); stabber test - Maps to: NIST PR.AA-05/PR.DS-02; ISO A.8.8/A.8.24; CIS 4.1/16.7 ### T09 — OMEMO/crypto correctness _Owner:_ Either · _Decision:_ M / C · _Effort:_ ~2–3d · _Investigate:_ investigate CRY-01/02/09 (reachability/product) NULL-id echo guard, opportunistic-OTR gate, CSPRNG, trust transitions, unsigned underflow. - **REQ-CRY-01** (medium · _m (investigate)_) — MUC OMEMO caller logs/echoes plaintext to history DB on NULL id (send failure) - Evidence: `event/client_events.c:200-203` - Fix: Wrap the three MUC-path log/echo lines in if (id != NULL) like the 1:1 path (:138,148,157) - Maps to: NIST PR.DS-02/PR.IR-01; ISO A.8.24/A.8.26 - **REQ-CRY-02** (medium · _m (investigate)_) — OTR-opportunistic first message bypasses allow_unencrypted_message gate - Evidence: `otr.c:332-339,425-428` - Fix: Consult allow_unencrypted_message before the tagged cleartext send; return without sending if disallowed; add block-mode test - Maps to: NIST PR.DS-02/PR.IR-01; ISO A.8.24/A.5.10 - **REQ-CRY-07** (medium · _c_) — Non-CSPRNG g_rand_* used for stanza IDs and profanity_instance_id HMAC key - Evidence: `common.c:712-717; connection.c:808,1123` - Fix: Rewrite get_random_string to draw from gcry_create_nonce (already in-tree at omemo.c:2076); handle modulo bias; one helper covers all callers - Maps to: NIST PR.DS-02; ISO A.8.24 - **REQ-CRY-09** (medium · _m (investigate)_) — blind/firstusage OMEMO trust transitions driven from inbound handlers - Evidence: `omemo.c:608,698` - Fix: Product decision then gate/surface the persisted-trust write so manual never auto-trusts from inbound while blind/firstusage still emit a visible notice; tests - Maps to: NIST PR.AA-03/PR.AA-04; ISO A.5.31/A.5.17 - **REQ-MEM-05** (medium · _m_) — identity_public_key_len-- lacks a >0 guard (unsigned underflow) - Evidence: `omemo.c:1437` - Fix: Reject/early-return when signal_buffer_len==0 before the decrement - Maps to: NIST PR.PS-01; ISO A.8.28 ## Checklist **T04 — Security-event log visibility (WARN on downgrade/cert/auth fail)** - [ ] **REQ-LOG-01** · medium · M — SASL auth failure at INFO; TLS cert-fail logs nothing (below WARN filter) (merges CIS-8.2) - [ ] **REQ-LOG-02** · medium · M — TLS-disabled/handshake-fail/see-other-host/insecure-login are DEBUG-only - [ ] **REQ-AUTH-03** · high · C — Insecure transport flags logged at debug, not WARN **T05 — TLS transport policy hardening (allow→mandatory, per-transfer warn)** - [ ] **REQ-CRY-03** · high · M — tls.policy=allow gives silent opportunistic STARTTLS; in-band registration sends creds cleartext without TLS (merges REQ-CIS-08-cry) - [ ] **REQ-CFG-01** · medium · M — tls.policy=trust silently disables curl verify on file transfers with no per-transfer warning **T06 — Update-check & version-reveal privacy** - [ ] **REQ-VUL-02** · medium · M — release_get_latest never sets VERIFY*/https-only on update check - [ ] **REQ-VUL-03** · medium · M — PREF_REVEAL_OS defaults TRUE; no <version>-omit pref (peer fingerprinting) **T09 — OMEMO/crypto correctness** - [ ] **REQ-CRY-01** · medium · M · investigate — MUC OMEMO caller logs/echoes plaintext to history DB on NULL id (send failure) - [ ] **REQ-CRY-02** · medium · M · investigate — OTR-opportunistic first message bypasses allow_unencrypted_message gate - [ ] **REQ-CRY-07** · medium · C — Non-CSPRNG g_rand_* used for stanza IDs and profanity_instance_id HMAC key - [ ] **REQ-CRY-09** · medium · M · investigate — blind/firstusage OMEMO trust transitions driven from inbound handlers - [ ] **REQ-MEM-05** · medium · M — identity_public_key_len-- lacks a >0 guard (unsigned underflow) ## Notes - **Investigate first** (verify/scope before implementing): REQ-CRY-01, REQ-CRY-02, REQ-CRY-09.
jabber.developer added the
Kind/Security
Priority
Medium
3
labels 2026-07-03 10:32:13 +00:00
jabber.developer added this to the Plans (2025-2026) project 2026-07-03 10:32:19 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: devs/cproof#147
No description provided.